This software (Wireshark) lets us examine the data exchanged over a communication channel between a client and a server by capturing the packets that travel on the network between the two.
Note: Although Wireshark can both capture and analyze, we will use a second tool, "tcpdump", to capture on the Unix server used in the Practical Works: Wireshark is a graphical application and the Unix server offers only a command-line interface, so Wireshark cannot be installed there. tcpdump lets us save the capture to a file that we then transfer to our own computer (Windows or Mac) to analyze it with Wireshark.
"tcpdump" is a command that needs "root" rights (on Unix) to capture on network interfaces. From a user other than "root", the command must therefore be prefixed with "sudo" (and the administrator must have granted the right to run this command in this way, which is already the case on the Junia Practical Works Unix server).
The usual arguments of the command are:
The following arguments can be added in order to limit the capture:
To capture (and record in the file capture.pcap) the communications passing through the loopback interface (named "lo"), we will use the following command:
sudo tcpdump -i lo -w capture.pcap
To capture (and record in the file capture.pcap) the communications with port 2000 of the IP address 10.34.161.21, we will use the following command. The expression in quotes is a capture filter (BPF syntax); the quotes protect it from the shell. Note that without -i, tcpdump captures on the first configured non-loopback interface, so add "-i lo" if the traffic you want goes through the loopback interface:
sudo tcpdump -w capture.pcap 'host 10.34.161.21 and port 2000'
To transfer, from the server with IP address "10.34.161.21", the file "capture.pcap" located in the directory "/home/isenXX", using the access rights of the user "isenXX", to the current directory of our machine, we will run the following command on our machine (the password of "isenXX" will be requested):
scp isenXX@10.34.161.21:/home/isenXX/capture.pcap .
After loading the capture file to be analyzed in Wireshark, select a packet belonging to the TCP connection you want to inspect and, through the context menu, select "Follow" then "TCP Stream" ("Follow TCP Stream" in older versions).
This opens a window with the complete, reassembled dialogue between the client and the server (only application data, not the TCP handshake), with the content sent by the client written in red and that sent by the server in blue.
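To make concrete what the capture filter 'host 10.34.161.21 and port 2000' selects and what "Follow TCP Stream" then reconstructs from the capture.pcap file, here is an added example (not part of the course material) that reads a libpcap file written by "tcpdump -w", applies the same host/port selection in Python, and splits the application data of the selected connection into client and server sides. The small capture it works on is constructed in code (the client address 10.34.161.50 and the two extra connections are assumed for illustration); it handles only the legacy pcap format and Ethernet-framed IPv4/TCP, and it keeps capture order instead of reordering by sequence number as Wireshark does.

```python
"""Offline re-creation of the tcpdump filter 'host X and port N' and of
Wireshark's Follow > TCP Stream. Added example, not course material. Reads
only legacy libpcap (what 'tcpdump -w' writes), not pcapng, and only
Ethernet-framed IPv4/TCP. The sample capture at the bottom is constructed."""
import socket
import struct
from collections import namedtuple

LINKTYPE_ETHERNET = 1          # link type tcpdump writes for eth0 and, on Linux, lo
SYN, FIN, ACK, PSH = 0x02, 0x01, 0x10, 0x08

Segment = namedtuple("Segment", "src sport dst dport seq flags payload")


def read_pcap(data):
    """Yield (linktype, frame) for every record of a libpcap file held in memory."""
    (magic,) = struct.unpack(">I", data[:4])
    if magic == 0xA1B2C3D4:      # file written big-endian
        end = ">"
    elif magic == 0xD4C3B2A1:    # file written little-endian (x86 servers)
        end = "<"
    else:
        raise ValueError("not a libpcap capture: magic %#x" % magic)
    linktype = struct.unpack(end + "HHiIII", data[4:24])[5]
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack(end + "IIII", data[off:off + 16])[2]
        off += 16
        yield linktype, data[off:off + incl_len]
        off += incl_len


def parse_tcp(frame):
    """Decode Ethernet/IPv4/TCP headers; return None for anything else (ARP, UDP, ...)."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # EtherType 0x0800 = IPv4
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    tcp = ip[ihl:total_len]
    if ip[9] != 6 or len(tcp) < 20:                       # IP protocol 6 = TCP
        return None
    sport, dport, seq, _ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    doff = (off_flags >> 12) * 4                          # TCP header length incl. options
    return Segment(socket.inet_ntoa(ip[12:16]), sport, socket.inet_ntoa(ip[16:20]),
                   dport, seq, off_flags & 0x1FF, tcp[doff:])


def matches(seg, host, port):
    """Python equivalent of the BPF filter 'host <host> and port <port>' (either direction)."""
    return host in (seg.src, seg.dst) and port in (seg.sport, seg.dport)


def follow_tcp_stream(data, host, port):
    """Return [(side, payload), ...] in capture order for the connection selected by
    host/port. 'client' is the side of the first matching segment (the SYN when the
    handshake was captured). Exact retransmissions (same side, same sequence number)
    are dropped; segments are not reordered by sequence number as Wireshark does."""
    client, seen, chunks = None, set(), []
    for linktype, frame in read_pcap(data):
        if linktype != LINKTYPE_ETHERNET:
            raise ValueError("this example only handles Ethernet-framed captures")
        seg = parse_tcp(frame)
        if seg is None or not matches(seg, host, port):
            continue
        if client is None:
            client = (seg.src, seg.sport)
        if not seg.payload:
            continue                                       # SYN/ACK/FIN carry no data
        side = "client" if (seg.src, seg.sport) == client else "server"
        if (side, seg.seq) in seen:
            continue                                       # retransmitted segment
        seen.add((side, seg.seq))
        chunks.append((side, seg.payload))
    return chunks


# ---- constructed sample capture (not a real trace) ----
def _frame(src, sport, dst, dport, seq, ack, flags, payload=b""):
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return bytes(12) + b"\x08\x00" + ip + tcp + payload    # zeroed MACs; checksums not computed


def _pcap(frames):
    out = struct.pack(">IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 262144, LINKTYPE_ETHERNET)
    for i, f in enumerate(frames):
        out += struct.pack(">IIII", 1700000000 + i, 0, len(f), len(f)) + f
    return out


C, S = "10.34.161.50", "10.34.161.21"       # assumed client address; server from the lab
SAMPLE_PCAP = _pcap([
    _frame(C, 40000, S, 2000, 1000, 0, SYN),
    _frame(S, 2000, C, 40000, 5000, 1001, SYN | ACK),
    _frame(C, 40000, S, 2000, 1001, 5001, ACK),
    _frame(C, 40000, S, 2000, 1001, 5001, PSH | ACK, b"HELLO\n"),
    _frame(C, 40000, S, 2000, 1001, 5001, PSH | ACK, b"HELLO\n"),        # retransmission
    _frame(S, 2000, C, 40000, 5001, 1007, PSH | ACK, b"WELCOME\n"),
    _frame(C, 40001, "10.34.161.22", 80, 1, 0, PSH | ACK, b"GET / HTTP/1.0\r\n"),  # other host
    _frame(S, 22, C, 40002, 1, 0, PSH | ACK, b"SSH-2.0-OpenSSH\r\n"),              # other port
])

if __name__ == "__main__":
    for side, payload in follow_tcp_stream(SAMPLE_PCAP, S, 2000):
        print("%-6s %r" % (side, payload))               # client is red, server blue in Wireshark
```

Running it prints the two application lines of the port-2000 connection only; the HTTP and SSH frames are excluded by the filter, and the duplicated "HELLO" segment appears once. To try it on a real capture.pcap from the lab, replace SAMPLE_PCAP with the file's bytes (open(..., "rb").read()).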